How does an antivirus work?

When a computer virus infects a computer, it must make changes to files on the computer, to critical areas such as the registry, or to sections of memory in order to spread or cause damage. An antivirus program protects a computer by monitoring file changes and memory for known or suspicious patterns and warns the user about the action before it is performed. Below is a list of the different forms of virus detection an antivirus can use to protect your computer.

Heuristic-based detection

The most common form of detection is heuristic-based detection, which uses an algorithm to compare the signature of known viruses against a potential threat. Heuristic-based detection allows an antivirus to detect viruses that have not yet been discovered, or earlier viruses that have been modified or disguised and released as a new virus.

Heuristic-based scanning is the best-known method for detecting new viruses, but it can also generate false positive matches, meaning an antivirus scanner may report a file as infected when it is not.

Signature-based or virus dictionary detection

Every antivirus scanner has a virus definition file, database, or dictionary that contains thousands of known virus signatures. These signatures allow an antivirus program to identify past viruses that have been analyzed by security professionals. Today, there are well over 100,000 different known virus signatures that can be used for comparison.

Signature-based detection is an excellent way to stop previously known viruses and is the method of detection least likely to create a false warning. However, signature-based detection cannot detect new viruses until the definition file is updated with the new virus information.
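As an added example (not from the original article), the toy scanner below contrasts the two approaches described in the heuristic and signature sections above: the signature dictionary matches an exact file hash or byte pattern, while weighted heuristic rules still catch a slightly modified variant but can also flag a harmless file. All sample bytes, rule names and weights are constructed for the demonstration.

```python
import hashlib
import re

# Constructed "known virus" body standing in for a definition-file entry.
KNOWN_SAMPLE = b"MZ\x90\x00DEMO:copy self to %APPDATA%;DEMO:autorun key"
SIGNATURE_DB = {
    # exact SHA-256 of the analyzed sample
    "hash": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Worm.A"},
    # exact byte sequence extracted from the analyzed sample
    "pattern": {b"DEMO:copy self to %APPDATA%": "Demo.Worm.A"},
}

# Heuristic rules: wildcard patterns with a weight each, so one weak hit
# (e.g. just an executable header) does not flag a file on its own.
HEURISTIC_RULES = [
    (re.compile(rb"DEMO:copy self to \S+"), 6, "self-copy"),
    (re.compile(rb"DEMO:autorun"), 3, "autorun"),
    (re.compile(rb"MZ\x90\x00"), 1, "executable-header"),
]
HEURISTIC_THRESHOLD = 7

def signature_scan(data):
    """Return the virus name on an exact dictionary match, else None."""
    name = SIGNATURE_DB["hash"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in SIGNATURE_DB["pattern"].items():
        if pattern in data:
            return name
    return None

def heuristic_scan(data):
    """Return (score, matched rule names); score >= threshold is suspicious."""
    score, hits = 0, []
    for regex, weight, name in HEURISTIC_RULES:
        if regex.search(data):
            score += weight
            hits.append(name)
    return score, hits

def classify(data):
    """Signature check first (no false warnings), then fall back to heuristics."""
    name = signature_scan(data)
    if name:
        return "infected:" + name
    score, _ = heuristic_scan(data)
    return "suspicious" if score >= HEURISTIC_THRESHOLD else "clean"

# Constructed inputs: a modified variant evades the exact signature but not the
# heuristics; a benign backup tool trips the same heuristics (false positive).
VARIANT = KNOWN_SAMPLE.replace(b"%APPDATA%", b"%TEMP%")
BENIGN = b"MZ\x90\x00Installer: DEMO:autorun key for updater"
FALSE_POSITIVE = b"MZ\x90\x00DEMO:copy self to backup folder;DEMO:autorun at login"
```

Running `classify` over the four constants shows the known sample caught by signature, the variant only by heuristics, the installer left clean, and the backup tool wrongly flagged.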

Behavior-based detection

If a virus has made it past the above detections, the antivirus analyzes the behavior of programs running on the computer. If a program begins to perform strange actions, such as modifying or deleting dozens of files, changing the settings of other programs, monitoring keystrokes, remotely connecting to other computers, or other suspicious actions, the antivirus may trigger a warning.

Behavior-based detection is a useful method of finding viruses or other malware that attempt to steal or log information. However, because many legitimate programs today need to report to an online server or log keystrokes (for example, to prevent online cheating), it is not uncommon for this type of detection to create false warnings.

Sandbox detection

If a program is suspicious, some antivirus programs can also use sandbox detection, which creates an emulated environment in which the program is run and its behavior analyzed. If, when executed in the emulated environment, the program performs destructive or abnormal behavior, the antivirus alerts the user before running it on the real computer.

Cloud antivirus detection

Cloud antivirus detection is a type of antivirus protection that uses a small client on the computer to collect information, while all of the forms of virus detection mentioned above are processed in the cloud. By running all detection in the cloud, the computer needs little processing power compared to a full antivirus program running locally, but it always needs an Internet connection.

Full system scan

Finally, a full system scan or individual file scan is a manual action that can be taken by a user to scan all of the files on their computer. To run this type of scan, you must open the antivirus program and select the option to do a full system scan or right-click a file you want to scan and choose the option to scan the file.

A full scan should not be necessary if an antivirus program has been running on your computer and monitoring for changes. However, if your computer is behaving suspiciously or a new antivirus scanner has been installed, it is not a bad idea to run a full scan. Keep in mind that, because almost all files are examined during a full system scan, these scans can take anywhere from 20 minutes to several hours to complete.